Analysis
-
max time kernel
123s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19-05-2024 10:30
General
-
Target
5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe
-
Size
176KB
-
MD5
0e8acf4f2931765ede72461518632120
-
SHA1
f5d5c4b54584014c1c5d6c8b7f936e286b2d86b1
-
SHA256
5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e
-
SHA512
99e8819ae3ef4a27de5a1faab97407e90f4a2f67b9ab5228a3c79dd6e6fb2ab0bc0041e77134f3fe6820557d1c063378227bbc47d09433fa0bb5a28bf43ae8a3
-
SSDEEP
3072:kVJvcLqR7QAJJ+JwBVWWvMaRDr0td4LVXA:ZLq1nvRDr+d4JA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe"C:\Users\Admin\AppData\Local\Temp\5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\system\Fun.exeC:\WINDOWS\system\Fun.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SVIQ.EXEC:\WINDOWS\SVIQ.EXE4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\WINDOWS\dc.exeC:\WINDOWS\dc.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD50e8acf4f2931765ede72461518632120
SHA1f5d5c4b54584014c1c5d6c8b7f936e286b2d86b1
SHA2565fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e
SHA51299e8819ae3ef4a27de5a1faab97407e90f4a2f67b9ab5228a3c79dd6e6fb2ab0bc0041e77134f3fe6820557d1c063378227bbc47d09433fa0bb5a28bf43ae8a3
-
Filesize
100KB
MD5c57b2f70d5007e9a723c78fc96f471b9
SHA1d0c969894688544fe217d5234a7872925dd98503
SHA25695126861e1d98612ff1ae5c086fca06f13b937b637be9e2fab50bc8e97faf40e
SHA51228d1c51bab50bd5efab1b02511f9ca8e063ee17ad4b3de4b5917a4c6c1da2108b10853bbbe6a2d8c10b67f4f16a2144316accd034c05ba791e158513bad65fa7
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB